zkLend Hacker Loses $5.4M to Tornado Cash Scam

In an ironic twist of fate, the hacker behind February’s $9.57 million exploit on zkLend has allegedly fallen victim to another scam.

The suspected criminal claimed in an on-chain message that they lost 2,930 ETH, worth about $5.4 million, while trying to launder the stolen funds through Tornado Cash.

The zkLend Hack

zkLend also confirmed the bizarre turn of events in a post on X, stating that the attacker had interacted with a known phishing website, tornadoeth[.]cash, as they attempted to cover their tracks from pursuers.

The scam site is said to have been in operation for the last five years, and it immediately drained the thief’s entire balance of 2,930 ETH. In an on-chain message to zkLend, the attacker appeared crestfallen, saying:

“Hello, I tried to move funds to Tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2,930 ETH have been taken by that site’s owners… Please redirect your efforts towards those site owners to see if you can recover some of the money.”

The saga began in February, a couple of days before Valentine’s, when the Starknet-based lending protocol was hacked for more than $9.5 million. The exploiter, only identified by the address 0x64…9109, reportedly took advantage of a decimal precision vulnerability on zkLend to manipulate rounding errors in its lending accumulator and artificially inflate its balance. As a result, they made off with about 3,700 ETH, forcing the platform to pause withdrawals temporarily.

Following the theft, zkLend attempted to negotiate with the perpetrator, offering them a white hat bounty of 10% of the stolen funds in exchange for the return of the remaining 3,300 ETH. However, the hacker stayed silent, moving the crypto assets through various channels, including 706 ETH valued at $1.8 million sent through Railgun.

Legitimacy Concerns: A Staged Disappearance?

Not everyone has bought the phishing story, though. Many within the crypto community have questioned the hacker’s claim, with the most prevalent theory being that they made up the tale to fake a loss and avoid further scrutiny from blockchain investigators and law enforcement.

Given that zkLend has been actively tracking the stolen funds and working with on-chain security firms and the police, some have argued that this could be a ploy to make the funds disappear without a trace.

Reactions on X quickly flooded in, with some people pointing out the suspicious timing of the announcement. One user, @pvt.eth, sarcastically noted, “Right about time for April Fool.” Others speculated that the phisher and the hacker could be the same person.

Another theory is that the attacker might have transferred the stolen ETH to an alternate address, using the phishing story as a cover-up. @0xGekko was among those unconvinced, stating:

“Meh, screams more like the hacker is trying to avoid any heat from a possible investigation.”

Nonetheless, zkLend is treating the phishing loss as a legitimate event, noting that there isn’t conclusive evidence yet that the phishing website and the exploiter are connected.